Federal agents arrested a former NASA contractor at his home in Los Angeles on Thursday, accusing him of sextortion.

According to the August 28 indictment, Richard Gregory Bauer, 28, used Facebook to send questions to his victims for his purported "human societies class." He asked his marks for things like their pets' names and where their parents met—queries that are often similar, if not identical, to prompts used in password-reset tools.

After doing so, he would seemingly use those passwords to access their accounts, sometimes stumbling upon nude or semi-nude photographs. Sometimes, he would convince victims to install malware that included keyloggers, enabling him to capture logins and passwords.

Prosecutors say Bauer would then send one or more copies of such photos to his female victims and demand more pictures. He allegedly would often specify what types of photos he wanted, such as "just underwear; your face doesn't have to be visible."

If these women did not meet his demands, Bauer threatened to publish photos of them online. It is not clear how many of these women complied with his demands. He is believed to have targeted at least seven women.

Bauer was arraigned in federal court in Los Angeles on Thursday, where he entered a not guilty plea and was represented by Deputy Federal Public Defender Kelly Swanton. He was released on a $50,000 bond.

Cyrus Farivar
Cyrus is a Senior Tech Policy Reporter at Ars Technica, and is also a radio producer and author. His latest book, Habeas Data, about the legal cases over the last 50 years that have had an outsized impact on surveillance and privacy law in America, is out now from Melville House. He is based in Oakland, California. Email: cyrus.farivar@arstechnica.com // Twitter: @cfarivar

I thought all these things have prompts now that alert their users immediately when someone unknown tries to log into them. Then again, AFAIK 2FA is still optional for the most part, so it's probably little use to get an email about an unknown login, panic and then a few minutes later get one about a password change. Or am I making a mistake somewhere?

I don't understand this kind of sociopathy. That is a lot of work to get nude photos in the age of the internet. That tells me it is more about having power over women and tormenting them than anything pornographic. I really can't understand how anyone would be so obsessive about doing something so terrible.

I don't understand this kind of sociopathy. That is a lot of work to get nude photos in the age of the internet. That tells me it is more about having power over women and tormenting them than anything pornographic. I really can't understand how anyone would be so obsessive about doing something so terrible.

Lots of work, yes, but remember, as you said, these types of things aren't about sex, they are about control. That's where the sociopathy comes into play.

I don't understand this kind of sociopathy. That is a lot of work to get nude photos in the age of the internet. That tells me it is more about having power over women and tormenting them than anything pornographic. I really can't understand how anyone would be so obsessive about doing something so terrible.

It’s definitely about power. So terrible? In this day most willingly post nudes, it seems extremely minor to me, he could have done much worse. I’m struggling to see how this is even news on Ars? Is it because he is a NASA contractor? That’s the only stand out piece of info, which is unrelated to the crimes and frankly who cares who he works for.

It is Ars worthy because it's: This bad person used "This one weird trick" to socially hack a common password recovery / security feature that is ubiquitous on the internet to invade people's privacy and security and do bad things.

And it most certainly is terrible. I believe it would fall under the definition of sadism.

An excellent example to illustrate just how stupid those "security questions" are.

Not to victim blame, but maybe it's not the smartest idea to set them to the "right" answer. I usually treat them as an extra password and just put in a random string (remembered by the trusty password manager).

The level of sociopathy required is terrifying, it's all about demeaning and removing power and it's horrible.

Having said that, I was speaking to someone very close to me the other day and he said this, which is relevant:

"I work in data acquisition for a large organisation.

For the love of God, people.

Stop sending nudes.

They absolutely, 100% will be viewed by people you don't want to see them in the best case scenario. In the worst case they are disseminated publicly, and in the nightmare case used as blackmail or a weapon against you.

Even if you have a nonexistent impenetrable security routine, the person you sent them to doesn't. And you will almost certainly break up with them in any case.

You might as well be printing them out in movie poster sizes and sticking them up in the Starbucks closest to your house.

Don't. Send. Nudes.

Unless you're happy for the entire world to see them, don't send them."

Not to victim blame, but maybe it's not the smartest idea to set them to the "right" answer. I usually treat them as an extra password and just put in a random string (remembered by the trusty password manager).

My company enforces hard passwords, regular changes and so on. But then there is a password-reset-site which uses stuff like this ("where born, grandmother's name ...") as "security". I complained about it, but I guess they did not get why it is stupid. "Everybody" uses this, so it must be good. *rolleyes*

The level of sociopathy required is terrifying, it's all about demeaning and removing power and it's horrible.

Having said that, I was speaking to someone very close to me the other day and he said this, which is relevant:

"I work in data acquisition for a large organisation.

For the love of God, people.

Stop sending nudes.

They absolutely, 100% will be viewed by people you don't want to see them in the best case scenario. In the worst case they are disseminated publicly, and in the nightmare case used as blackmail or a weapon against you.

Even if you have a nonexistent impenetrable security routine, the person you sent them to doesn't. And you will almost certainly break up with them in any case.

You might as well be printing them out in movie poster sizes and sticking them up in the Starbucks closest to your house.

Don't. Send. Nudes.

Unless you're happy for the entire world to see them, don't send them."

More than that, I have plenty of friends that have admitted to taking nude/near-nude selfies with no intent to send them. Supposedly, it's a mix of checking appearance sans a mirror and "I look good" confidence boosting. People aren't good at analyzing "unlikely" future risks based on current actions.

Not to victim blame, but maybe it's not the smartest idea to set them to the "right" answer. I usually treat them as an extra password and just put in a random string (remembered by the trusty password manager).

My company enforces hard passwords, regular changes and so on. But then there is a password-reset-site which uses stuff like this ("where born, grandmother's name ...") as "security". I complained about it, but I guess they did not get why it is stupid. "Everybody" uses this, so it must be good. *rolleyes*

Indeed, "Industry standard" covers soooo many sins. Hopefully you can use this article to demonstrate their folly to them and drive adoption of 2FA.

Every time this sort of thing happens I am astounded again that there are men stupid enough to do this sort of thing. What scenario plays out in their head that doesn’t end in a prison sentence?

Too much TV. Extortion almost always gets you results on TV, and almost never ends with a visit from the police. It's a plot device, like torture, that's designed to prove what an ass the character is and move the story along, so it doesn't need to account for reality. Viewers then assume blackmail is way more effective than it really is IRL.

The level of sociopathy required is terrifying, it's all about demeaning and removing power and it's horrible.

Having said that, I was speaking to someone very close to me the other day and he said this, which is relevant:

"I work in data acquisition for a large organisation.

For the love of God, people.

Stop sending nudes.

They absolutely, 100% will be viewed by people you don't want to see them in the best case scenario. In the worst case they are disseminated publicly, and in the nightmare case used as blackmail or a weapon against you.

Even if you have a nonexistent impenetrable security routine, the person you sent them to doesn't. And you will almost certainly break up with them in any case.

You might as well be printing them out in movie poster sizes and sticking them up in the Starbucks closest to your house.

Don't. Send. Nudes.

Unless you're happy for the entire world to see them, don't send them."

I agree but...

Imagine a world where we weren't so damn ashamed of our own naked bodies, and where people could freely take and send nude pictures of themselves because there would be no social stigma attached to those pictures getting out.

Here's to hoping that we will one day escape the clutches of such meaningless "morality".

I thought all these things have prompts now that alert their users immediately when someone unknown tries to log into them. Then again, AFAIK 2FA is still optional for the most part, so it's probably little use to get an email about an unknown login, panic and then a few minutes later get one about a password change. Or am I making a mistake somewhere?

Even 2FA doesn't help if the user is naive. Not everyone understands the implications, and I find it difficult to blame the user. It's not like they teach information security at school.

Last year I helped a friend recover an account, I think it was a google account. Someone contacted her on Instagram pretending to be a childhood friend and *somehow* convinced her to send the security code she got over SMS to change her password. You can probably guess the outcome.

I still don't understand the logic behind sending nudes to someone who has compromising information about you.

It really is a strange society where your career can be ruined just because some people have seen you naked on the Internet.

That said, the victim's is not necessarily a rational response. These people are in a difficult situation: an unknown man seems to have gained access to a lot of information and they might be very afraid of a lot of things happening from there, which tends to make them easier to manipulate. Being highly stressed and afraid of something that they see could ruin their life/career/marriage, they just do whatever they think they can do to make the problem go away. If the attacker is good, he makes them think that everything will be over if they just send a picture, whilst applying enough psychological pressure so that they don't really stop and think. It is basically the same way you make someone who's been hit by some ransomware send bitcoins to an unknown hacker.

He asked his marks for things like their pets' names and where their parents met—queries that are often similar, if not identical, to prompts used in password-reset tools.

Which is why I hate it when companies use canned questions instead of allowing you to generate your own. They always ask things that any rube can find on Facebook or with simple Google searches on your name. Things like what high school you attended, where you were born, pet's name, first car, or other trite garbage. Too many things people keep in their bloody Facebook profiles available to the public at large.

What I recommend people do with places that use such nonsense questions for password recovery: answer in gibberish or phrases that only mean something to you. If you're asked where you attended high school, answer with something like, "a boring place that I enjoyed leaving". Don't answer the question with the actual name of the school you attended. Also, don't answer questions asked by randoms on Facebook - EVER!

He asked his marks for things like their pets' names and where their parents met—queries that are often similar, if not identical, to prompts used in password-reset tools.

Which is why I hate it when companies use canned questions instead of allowing you to generate your own. They always ask things that any rube can find on Facebook or with simple Google searches on your name. Things like what high school you attended, where you were born, pet's name, first car, or other trite garbage. Too many things people keep in their bloody Facebook profiles available to the public at large.

What I recommend people do with places that use such nonsense questions for password recovery: answer in gibberish or phrases that only mean something to you. If you're asked where you attended high school, answer with something like, "a boring place that I enjoyed leaving". Don't answer the question with the actual name of the school you attended. Also, don't answer questions asked by randoms on Facebook - EVER!

Yeah, I typically answer with things that have no relevance to the question. "Where did you go to high school?" "Leeroy Jenkins". "What's your mother's middle name?" "Pi to the eighteenth digit." Etc.

Every time this sort of thing happens I am astounded again that there are men stupid enough to do this sort of thing. What scenario plays out in their head that doesn’t end in a prison sentence?

It's not just men, women extort and blackmail too but just differently and maybe not as direct as this guy. Extortion and blackmail can take many forms. It's somehow more sensational when it's done with technology which happens to be the vehicle chosen by this type of male extortionist, so it makes the news more nowadays.

An excellent example to illustrate just how stupid those "security questions" are.

Not to victim blame, but maybe it's not the smartest idea to set them to the "right" answer. I usually treat them as an extra password and just put in a random string (remembered by the trusty password manager).

^^^ This. Some security norms nowadays are hopelessly outdated and at times counterproductive. Where I work the powers that be instituted a new 'super sekret seekure' setup for password recovery. It used two 'great' ideas. First was to ask a whole slew of those personal questions, more than I've ever seen on any other site. Nope. I'm certain that after two decades of that system that that information is either in the wild or easily guessed with some google-fu. The second, and this is beautiful, was to have the website disallow pasting into any dialog boxes. This actively blocked me from using a password manager (keepass in my case) to paste in a unique 30 digit (upper case, lower case, special characters, numbers, spaces, etc....) password to ensure security. It almost actively demanded a simple password to be used in order not to take an inordinate amount of time to enter a password.

Security questions? All randomized digits as well.

If anyone runs into issues with pasting being blocked in websites, google 'don't fuck with paste' for chrome. While the code can be inserted manually, the above is just easy-peasy and a lifesend.

The level of sociopathy required is terrifying, it's all about demeaning and removing power and it's horrible.

Having said that, I was speaking to someone very close to me the other day and he said this, which is relevant:

"I work in data acquisition for a large organisation.

For the love of God, people.

Stop sending nudes.

They absolutely, 100% will be viewed by people you don't want to see them in the best case scenario. In the worst case they are disseminated publicly, and in the nightmare case used as blackmail or a weapon against you.

Even if you have a nonexistent impenetrable security routine, the person you sent them to doesn't. And you will almost certainly break up with them in any case.

You might as well be printing them out in movie poster sizes and sticking them up in the Starbucks closest to your house.

Don't. Send. Nudes.

Unless you're happy for the entire world to see them, don't send them."

I agree but...

Imagine a world where we weren't so damn ashamed of our own naked bodies, and where people could freely take and send nude pictures of themselves because there would be no social stigma attached to those pictures getting out.

Here's to hoping that we will one day escape the clutches of such meaningless "morality".

Absolutely. I've never understood why the US is perfectly OK with showing people getting killed in various ways, often graphic, yet when it comes to showing a little skin you're going straight to hell. I think we have things backwards.

I can honestly say that after smartphones came about I sent and received nudes with every girl I ever dated. It was part of the flirting process. It was fun. I highly recommend it.

Also, I've seen at least one comment that said nudes = porn. I would hate to have that person's narrow mind.